From 363ce930a742ba754ffae3b7e248acd11233b655 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Tue, 11 May 2021 03:49:29 +1000
Subject: [PATCH 1/7] joyent/sdc-docker#159 want support for "administrator" role (#160)

Approved by: Dan McDonald
---
 lib/auth.js | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 67 insertions(+), 3 deletions(-)

diff --git a/lib/auth.js b/lib/auth.js
index 68fb2c7b..6b65ba68 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -110,13 +110,14 @@ function authTls(req, res, next) {
 var account;
 var ufdsKey;
+ var adminRoleMembers;
 var login = cert.subjects[0].cn;
- var authFunctions = [ getMainAccount ];
+ var authFunctions = [ getMainAccount, getAdminRole ];
 
 if (authCache.get(login) && authCache.get(login) === peerKeyFp) {
 log.debug('Cached authentication found token for %s', login);
 } else {
- authFunctions.push(getKey, verifyKey);
+ authFunctions.push(getKey, getAdminRoleKeys, verifyKey);
 }
 
 // No support for account subusers at the moment
@@ -138,12 +139,36 @@ function authTls(req, res, next) {
 });
 }
 
+ function getAdminRole(_, cb) {
+ var roleFilter = '(&(objectclass=sdcaccountrole)(name=administrator))';
+ ufds.listRoles(account.uuid, roleFilter, function (err, rs) {
+ if (err) {
+ cb();
+ return;
+ }
+
+ var adminRole = rs[0];
+ if (!adminRole || !adminRole.uniquememberdefault) {
+ cb();
+ return;
+ }
+
+ var members = adminRole.uniquememberdefault;
+ if (!Array.isArray(members)) {
+ members = [members];
+ }
+
+ adminRoleMembers = members;
+ cb();
+ });
+ }
+
 function getKey(_, cb) {
 ufds.getKey(account, lookupFp, function (err, key) {
 if (err) {
 log.info({err: err, login: login, authn: true},
 'ufds.getKey err');
- cb(new errors.UnauthorizedError(err));
+ cb();
 return;
 }
 ufdsKey = key;
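Review bot: `getAdminRole` is added to the unconditional list on the changed `var authFunctions = [ getMainAccount, getAdminRole ];` line, yet the only reader of `adminRoleMembers` visible in this commit is `getAdminRoleKeys`, which is pushed only on the cache-miss branch, so every cache hit pays a UFDS role search whose result is discarded. Keeping `var authFunctions = [ getMainAccount ];` and pushing it with the others, `authFunctions.push(getAdminRole, getKey, getAdminRoleKeys, verifyKey);`, preserves the order getAdminRoleKeys relies on. authTls starts before this hunk, so a later consumer of `adminRoleMembers` outside the view would change this; worth checking before moving it.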
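Review bot: The `ufds.listRoles` error branch in `getAdminRole` calls `cb()` without logging, so a UFDS failure is indistinguishable in the logs from "no administrator role" and only surfaces later as a generic key-not-found; the `getKey` branch a few lines below in the same hunk does log with `authn: true`. Mirroring it before the `cb();`, `log.info({err: err, login: login, authn: true}, 'ufds.listRoles err');`, keeps the authentication trail complete. getAdminRole is nested in authTls, which begins before this hunk.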
@@ -151,7 +176,46 @@ function authTls(req, res, next) {
 });
 }
 
+ function getAdminRoleKeys(_, cb) {
+ if (ufdsKey) {
+ cb();
+ return;
+ }
+
+ vasync.forEachParallel({
+ func: getUserKey,
+ inputs: adminRoleMembers
+ }, cb);
+
+ function getUserKey(dn, ccb) {
+ /*
+ * Note scope: one not sub, the DN might be an account rather
+ * than a sub-user, and we don't want its sub-user's keys.
+ */
+ ufds.search(dn, {
+ scope: 'one',
+ filter: '(&(fingerprint=' + lookupFp + ')' +
+ '(objectclass=sdckey))'
+ }, function (err2, userKeys) {
+ if (err2) {
+ ccb(err2);
+ return;
+ }
+ if (userKeys[0] && userKeys[0].pkcs) {
+ ufdsKey = userKeys[0];
+ }
+ ccb();
+ });
+ }
+ }
+
 function verifyKey(_, cb) {
+ if (!ufdsKey) {
+ log.info({login: login, authn: true}, 'key not found');
+ cb(new errors.UnauthorizedError(err));
+ return;
+ }
+
 var key;
 try {
 key = sshpk.parseKey(ufdsKey.pkcs);

From d1eb32a71906840a97a980a173269f928ec52cfd Mon Sep 17 00:00:00 2001
From: Dan McDonald
Date: Tue, 11 May 2021 11:37:09 -0400
Subject: [PATCH 2/7] want support for administrator role (remove extraneous err)

Approved by: Mike Zeller
---
 lib/auth.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/auth.js b/lib/auth.js
index 6b65ba68..26117012 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -5,7 +5,8 @@
 */
 
 /*
- * Copyright (c) 2016, Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
+ * Copyright 2021 Alex Wilson
 */
 
 /*
@@ -194,8 +195,8 @@ function authTls(req, res, next) {
 */
 ufds.search(dn, {
 scope: 'one',
- filter: '(&(fingerprint=' + lookupFp + ')' +
- '(objectclass=sdckey))'
+ filter: '(&(fingerprint=' + lookupFp + ')' +
+ '(objectclass=sdckey))'
 }, function (err2, userKeys) {
 if (err2) {
 ccb(err2);
@@ -212,7 +213,7 @@ function authTls(req, res, next) {
 function verifyKey(_, cb) {
 if (!ufdsKey) {
 log.info({login: login, authn: true}, 'key not found');
- cb(new errors.UnauthorizedError(err));
+ cb(new errors.UnauthorizedError());
 return;
 }
 
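Review bot: `vasync.forEachParallel({ func: getUserKey, inputs: adminRoleMembers }, cb)` in getAdminRoleKeys runs with `adminRoleMembers` still undefined whenever getAdminRole found no administrator role (or its lookup failed) and the account's own key was not found; if vasync asserts that `inputs` is an array, as the versions I know do, an ordinary "key not found" becomes a thrown assertion instead of the logged Unauthorized in verifyKey. Widening the early return, `if (ufdsKey || !adminRoleMembers) { cb(); return; }`, keeps that path on the intended branch. Separately, `lookupFp` is concatenated unescaped into the LDAP filter in getUserKey; I take it to be the fingerprint computed from the peer certificate's key and so limited to hex digits and colons, but a one-line comment saying so next to the filter would make the absence of escaping obviously deliberate. authTls, which encloses all of this, begins before the hunk.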
From b27c106bf716e1f9d57099011d145b3562d93f3a Mon Sep 17 00:00:00 2001
From: Brian Bennett
Date: Wed, 14 Jul 2021 11:31:21 -0700
Subject: [PATCH 3/7] TRITON-2231 Update documented IRC channel (#162)

Reviewed by: Dan McDonald
---
 docs/guide/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guide/README.md b/docs/guide/README.md
index e21b439c..48894544 100644
--- a/docs/guide/README.md
+++ b/docs/guide/README.md
@@ -44,7 +44,7 @@ The Docker Engine for SDC is currently in alpha and under heavy development. The current focus is on stabilization and filling out support for *building* and *running* Docker containers. Please [report issues](https://github.com/joyent/sdc-docker/issues),
-give us feedback or discuss on [#joyent IRC on freenode.net](irc://freenode.net/#joyent).
+give us feedback or discuss on [#joyent IRC on libera.chat](irc://libera.chat/#joyent).
 
 ### 3. sdc-docker-setup.sh

From 83d944af8a71da3039229c4b21610e50a5f0b82d Mon Sep 17 00:00:00 2001
From: Brian Bennett
Date: Tue, 31 Aug 2021 10:01:33 -0700
Subject: [PATCH 4/7] triton-cns#25 Better support for SRV records (#164)

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index b765cb26..1bc49e3e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sdc-docker",
- "version": "0.7.3",
+ "version": "0.7.4",
 "author": "Joyent (joyent.com)",
 "private": true,
 "dependencies": {
@@ -28,7 +28,7 @@
 "strsplit": "1.0.0",
 "tape": "^4.4.0",
 "trace-event": "1.2.0",
- "triton-tags": "1.3.0",
+ "triton-tags": "1.4.0",
 "ufds": "1.2.0",
 "vasync": "2.1.0",
 "verror": "1.9.0",

From 14699b81db1718dd925069ec9a8b92afd25a1d46 Mon Sep 17 00:00:00 2001
From: Brian Bennett
Date: Tue, 7 Sep 2021 16:18:10 -0700
Subject: [PATCH 5/7] TRITON-2254 Change joyMattermostNotification to joySlackNotifications (#165)

---
 Jenkinsfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 0c058b55..d8f4534f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -5,10 +5,10 @@
 */
 
 /*
- * Copyright 2020 Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
 */
 
-@Library('jenkins-joylib@v1.0.6') _
+@Library('jenkins-joylib@v1.0.8') _
 
 pipeline {
 
@@ -54,7 +54,7 @@ pipeline {
 
 post {
 always {
- joyMattermostNotification(channel: 'jenkins')
+ joySlackNotifications(channel: 'jenkins')
 }
 }
 

From 067e1fc893b271f76bbec49f296edaadfa27c45d Mon Sep 17 00:00:00 2001
From: Brian Bennett
Date: Tue, 5 Oct 2021 17:20:48 -0700
Subject: [PATCH 6/7] TRITON-2257 portal docker features broken by node 4/6 auth barrier (#166)

Reviewed by: Dan McDonald
---
 .eslintrc | 46 +++++++++++++++++++++++++++++++++++++++++++++
 .gitmodules | 3 ---
 Jenkinsfile | 2 +-
 Makefile | 15 +++++++--------
 deps/javascriptlint | 1 -
 5 files changed, 54 insertions(+), 13 deletions(-)
 create mode 100644 .eslintrc
 delete mode 160000 deps/javascriptlint

diff --git a/.eslintrc b/.eslintrc
new file mode 100644
index 00000000..23897f21
--- /dev/null
+++ b/.eslintrc
@@ -0,0 +1,46 @@
+{
+ "plugins": [ "joyent" ],
+ "extends": [
+ "eslint:recommended",
+ "plugin:joyent/style",
+ "plugin:joyent/lint"
+ ],
+ "parserOptions": {
+ "ecmaVersion": 6,
+ "sourceType": "script",
+ "ecmaFeatures": {
+ }
+ },
+ "env": {
+ "node": true,
+ "es6": true
+ },
+ "rules": {
+ // Local rule configuration
+ "no-unused-vars": [
+ "error",
+ {
+ // Track all unused identifiers
+ "vars": "all",
+ "args": "all",
+ "caughtErrors": "all",
+ // Don't warn on args that start with _, res or req.
+ // Added stdout and stderr to the standard joyent set.
+ "argsIgnorePattern": "^(_|res|req|stdout|stderr)",
+ // Don't warn on catch or var identifiers that start with _
+ "caughtIgnorePattern": "^_",
+ "varsIgnorePattern": "^(_|res|req|stdout|stderr)"
+ }
+ ],
+ "max-len": [
+ "error",
+ 80,
+ {
+ "tabWidth": 8,
+ "ignoreComments": false,
+ "ignoreTrailingComments": false,
+ "ignoreUrls": true
+ }
+ ],
+ }
+}
diff --git a/.gitmodules b/.gitmodules
index 93fa9567..7439c78b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,3 @@
-[submodule "deps/javascriptlint"]
- path = deps/javascriptlint
- url = https://github.com/joyent/javascriptlint.git
 [submodule "deps/jsstyle"]
 path = deps/jsstyle
 url = https://github.com/joyent/jsstyle.git
diff --git a/Jenkinsfile b/Jenkinsfile
index d8f4534f..19b7f1c8 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -13,7 +13,7 @@ pipeline {
 
 agent {
- label joyCommonLabels(image_ver: '15.4.1')
+ label joyCommonLabels(image_ver: '19.4.0')
 }
 
 options {
diff --git a/Makefile b/Makefile
index 2d6771f4..b673ff3f 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@
 #
 #
-# Copyright (c) 2019, Joyent, Inc.
+# Copyright 2021 Joyent, Inc.
 #
 
 NAME:=docker
@@ -17,18 +17,16 @@ RESTDOWN_FLAGS = --brand-dir=deps/restdown-brand-remora
 TAPE := ./node_modules/.bin/tape
 JS_FILES := $(shell find lib plugins test -name '*.js' | grep -v '/tmp/')
-JSL_CONF_NODE = tools/jsl.node.conf
-JSL_FILES_NODE = $(JS_FILES)
+ESLINT_FILES = $(JS_FILES)
 JSSTYLE_FILES = $(JS_FILES)
 JSSTYLE_FLAGS = -f tools/jsstyle.conf
 SMF_MANIFESTS_IN = smf/manifests/docker.xml.in
 CLEAN_FILES += ./node_modules
 
-NODE_PREBUILT_VERSION=v4.9.0
+NODE_PREBUILT_VERSION=v6.17.1
 ifeq ($(shell uname -s),SunOS)
- NODE_PREBUILT_TAG=zone
- # Allow building on other than image sdc-minimal-multiarch-lts@15.4.1.
- NODE_PREBUILT_IMAGE=18b094b0-eb01-11e5-80c1-175dac7ddf02
+ NODE_PREBUILT_TAG=zone64
+ NODE_PREBUILT_IMAGE=5417ab20-3156-11ea-8b19-2b66f5e7a439
 endif
 
 ENGBLD_USE_BUILDIMAGE = true
@@ -55,7 +53,8 @@ RELSTAGEDIR:=/tmp/$(NAME)-$(STAMP)
 COAL ?= 10.99.99.7
 
-BASE_IMAGE_UUID = 04a48d7d-6bb5-4e83-8c3b-e60a99e0f48f
+# triton-origin-x86_64-19.4.0
+BASE_IMAGE_UUID = 59ba2e5e-976f-4e09-8aac-a4a7ef0395f5
 BUILDIMAGE_NAME = $(NAME)
 BUILDIMAGE_DESC = SDC Docker Engine
 AGENTS = amon config registrar
diff --git a/deps/javascriptlint b/deps/javascriptlint
deleted file mode 160000
index ad52812e..00000000
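Review bot: `NODE_PREBUILT_VERSION=v6.17.1` in the second Makefile hunk lands the build on a Node release line that is itself past end-of-life, so the runtime gains no further security fixes from this move; nothing in the hunk says whether v6 is a platform or image constraint or just the smallest step off v4. The removed `# Allow building on other than image sdc-minimal-multiarch-lts@15.4.1.` was the only explanatory comment in this block, and nothing replaces it for the new `NODE_PREBUILT_IMAGE` value. A one-line comment above the version pin recording the constraint (and the ticket for the next bump, if one exists) would keep the pin from being read as current.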
--- a/deps/javascriptlint
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit ad52812e77bdfb1e90fb71a1201adb2b665a27e6

From 73bed195c81138c2177071905ac4fb01d0d4fa03 Mon Sep 17 00:00:00 2001
From: teutat3s <10206665+teutat3s@users.noreply.github.com>
Date: Tue, 16 Nov 2021 13:03:03 +0100
Subject: [PATCH 7/7] Fix make check

---
 lib/backends/sdc/networks.js | 72 +++++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 33 deletions(-)

diff --git a/lib/backends/sdc/networks.js b/lib/backends/sdc/networks.js
index 84c3947d..e5ef7168 100644
--- a/lib/backends/sdc/networks.js
+++ b/lib/backends/sdc/networks.js
@@ -5,7 +5,7 @@
 */
 
 /*
- * Copyright (c) 2017, Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
 */
 
 /*
@@ -789,11 +789,16 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
 next(findErr);
 return;
 }
- payload.networks = [ {ipv4_uuid: network.uuid, primary: true} ];
- if (container.NetworkingConfig.EndpointsConfig[networkMode] != undefined) {
- var ipv4Addr = container.NetworkingConfig.EndpointsConfig[networkMode].IPAMConfig.IPv4Address;
+ payload.networks =
+ [ {ipv4_uuid: network.uuid, primary: true} ];
+ if (container.NetworkingConfig.EndpointsConfig[networkMode]
+ != undefined) {
+ var ipv4Addr =
+ container.NetworkingConfig.
+ EndpointsConfig[networkMode].IPAMConfig.
+ IPv4Address;
 if (ipv4Addr) {
- payload.networks[0].ipv4_ips = [ ipv4Addr ];
+ payload.networks[0].ipv4_ips = [ ipv4Addr ];
 }
 }
 
@@ -824,11 +829,10 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
 
 /*
 * We need to verify that if a user passed in networks with IPs that none
- * of the IPs are considered "managed". NAPI will handle other validations
- * for us.
+ * of the IPs are considered "managed". NAPI will handle other
+ * validations for us.
 */
 function verifyNetworkIPs(_, next) {
- var pipeline = [];
 var napi = getNapiClient(opts.config.napi);
 var networksWithIps = [];
 payload.networks.forEach(function forEachNetwork(net) {
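Review bot: The re-wrapped `var ipv4Addr = container.NetworkingConfig.` / `EndpointsConfig[networkMode].IPAMConfig.` / `IPv4Address;` still dereferences `IPAMConfig` unguarded, so an endpoint entry without an `IPAMConfig` object throws a TypeError inside this pipeline step instead of reaching `next`; `container` looks like the client-supplied create payload, which would make that a client-triggerable failure rather than a validation error. `var endpoint = container.NetworkingConfig.EndpointsConfig[networkMode];` followed by `var ipv4Addr = endpoint && endpoint.IPAMConfig && endpoint.IPAMConfig.IPv4Address;` (and `endpoint != undefined` in the `if`) closes that and shortens the wrapped expression. The loose `!= undefined` is carried over from the old line; `!= null` or `!== undefined` would state which case is intended. addNetworksToContainerPayload begins and ends outside this hunk.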
@@ -839,31 +843,33 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
 }
 });
 
- vasync.forEachPipeline({
- 'func': function validateIp(network, done) {
- napi.getIP(network.ipv4_uuid, network.ipv4_ips[0],
- function napiGetIp(err, ip) {
- if (err) {
- done(err);
- return;
- }
- if (ip.belongs_to_type === 'other' ||
- ip.owner_uuid === opts.config.adminUuid) {
- done(new errors.InternalError('Cannot use Managed IP'));
- return;
- }
- done(null, ip);
- });
- },
- 'inputs': networksWithIps
- }, function (err) {
- if (err) {
- next(err);
- return;
- }
- next()
- return
- });
+ vasync.forEachPipeline({
+ 'func': function validateIp(network, done) {
+ napi.getIP(network.ipv4_uuid, network.ipv4_ips[0],
+ function napiGetIp(err, ip)
+ {
+ if (err) {
+ done(err);
+ return;
+ }
+ if (ip.belongs_to_type === 'other'
+ || ip.owner_uuid === opts.config.adminUuid) {
+ done(new errors.InternalError(
+ 'Cannot use Managed IP'));
+ return;
+ }
+ done(null, ip);
+ });
+ },
+ 'inputs': networksWithIps
+ }, function (err) {
+ if (err) {
+ next(err);
+ return;
+ }
+ next();
+ return;
+ });
 },
 
 function runModifyProvisionNetworksPlugins(_, next) {
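Review bot: The `return;` after `next();` at the end of the forEachPipeline completion callback is redundant dead code that the reindent carried over from the old `next()` / `return`; dropping it leaves `next();` as the final statement. The quoted `'func'` and `'inputs'` keys also differ from the unquoted `func:` / `inputs:` form used for the same vasync call in lib/auth.js earlier in this series; either works, but one form per repository reads better. addNetworksToContainerPayload begins before this hunk.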